PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9181 Esri CVE debrief

CVE-2026-9181 is a critical directory traversal vulnerability in ArcGIS Server. An unauthenticated attacker could exploit this issue by sending crafted path parameters. Successful exploitation could allow access to sensitive files on the system. This issue impacts all versions of ArcGIS Server 12.0 and prior. The vulnerability has a CVSS score of 9.8, indicating a critical severity level. Organizations should prioritize patching to prevent potential unauthorized access to sensitive files.

Vendor
Esri
Product
ArcGIS Server
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-08
Advisory published
2026-07-06
Advisory updated
2026-07-08

Who should care

Organizations using ArcGIS Server 12.0 and prior versions should prioritize patching this vulnerability to prevent potential unauthorized access to sensitive files. This includes operators, security teams, and vulnerability management teams responsible for maintaining and securing ArcGIS Server deployments.

Technical summary

The vulnerability exists due to improper handling of path parameters in ArcGIS Server. An attacker can exploit this vulnerability by sending crafted requests, potentially leading to access to sensitive files on the system. The CVSS score for this vulnerability is 9.8, indicating a critical severity level. There is no information on the root cause or specific exploit details beyond the provided CVSS score and vulnerability description.

Defensive priority

High

Recommended defensive actions

  • Apply patches or updates provided by the vendor to vulnerable systems
  • Restrict access to ArcGIS Server to only trusted users and networks
  • Monitor ArcGIS Server logs for suspicious activity
  • Implement additional security controls, such as web application firewalls
  • Conduct regular vulnerability assessments and penetration testing
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-06T19:17:09.553Z and was last modified on 2026-07-08T03:09:46.867Z. The NVD entry is currently Analyzed. The evidence is limited, and defenders should verify the affected scope and severity with the vendor. The vulnerability exists in ArcGIS Server 12.0 and prior versions. There is no information on known or unknown affected scope beyond the provided details.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T19:17:09.553Z and has not been modified since then. The NVD entry is currently Analyzed.